News

Crucible Version 6.1 – General Availability

March 5, 2019

As an industry-leading
provider of advanced security and virtualization solutions for embedded mission
systems, Star Lab works hard to ensure that its own products, as well as its
customers’ systems, are fully-patched against late-breaking software
vulnerabilities, typically before such bugs become publicly known.

The latest release of
Crucible (Version 6.1), is a showcase example of such attention to ensuring
customer success. Version 6.1 of Crucible addresses several vulnerabilities
which have been recently identified by the Xen Project developer community. As
a member of the Xen security pre-disclosure list, the Crucible team has been
hard at work validating, reviewing and testing these patches since the bugs
were first discovered within the Xen community. This testing has also included
verification activities to ensure these security patches do not break or alter
the functionality of Crucible, or customer systems. Furthermore, Crucible has
unique security mitigations in place that inherently prevent exploitation of
many of the identified security vulnerabilities on production systems.

Crucible 6.1 addresses the
following vulnerabilities in open-source Xen:

XSA-291 – Requires a
malicious or buggy (guest) kernel to incorrectly access physical device memory
as is the case for devices which are physically passed thru to the guest. This
was partly mitigated by Crucible / Titanium enforcing driver signing and
disabling access to /dev/mem (thereby removing several vectors of making
malicious kernel modifications).

XSA-284 – Requires
a (PV) guest with device pass thru

XSA-290 – Requires a malicious or buggy (guest) kernel using
linear page tables. The partial mitigations are similar to XSA-291.

XSA-287 – Requires a PV guest
to execute a timing related attack around the XENMEM_exchange
hypercall. Crucible enforces FLASK / XSM policy around this hypercall
call (significantly hindering the ability to make use of the hypercall), and
additionally uses a strict resource assignment paradigm making the timing attack
harder to execute in practice.

XSA-293 – Requires a PV guest
(likely) running Linux. Crucible / Titanium can be configured to enforce a “full
system mode” of operation, in which no untrusted executables are permitted to
run. Additionally, Crucible / Titanium enforce driver signing and disable
access to /dev/mem (thereby removing several vectors of making malicious kernel
modifications). Further Crucible / Titanium remove kernel features and
functionality that could be used to pivot or gain elevated execution context.

XSA-285 – Requires a (malicious) PV guest. Crucible does not “hotplug” hardware into a guest (all hardware is statically assigned at machine creation). Additionally, Crucible does not permit untrusted guests (all guests are verified before launched, and only verified guests are launched) and there is no access to DOM-0 at runtime.

XSA-292 – Requires a
(malicious) PV guest.

Overall system security is
dependent not only on the individual components, but also how the components
are configured as a system, how the system is used, and the steps taken by
operators to reduce system attack surface. The Crucible tooling is specifically
designed to ensure that system configurations are secure-by-default, and that
unsafe configuration are inherently prohibited. For more information about
Crucible 6.1, please contact Star Lab at [email protected]